Office 365 Delegation Using Recipient Write Scope in Exchange Online

Affinity by definition from your dictionary is:

  1. relationship by marriage
  2. close relationship; connection

So are you married to your on-premise Active Directory?

  1. Do you have a connection with it?
  2. What is your relationship to your on-premise infrastructure?
  3. Could you divorce yourself from it and still maintain a secure relationship (maintain your identity) and connection?

After all things are considered, these are good questions to ask yourself before moving services and data to the cloud.

Well, based on delegation, perhaps not. In Office 365, a Global Administrator has the rights to modify all tenant functions as long as the tenant has not been delegated to a cloud partner. Global Admins in a midsize business plan have all the rights to modify all Exchange Online and recipient account properties, SharePoint Online profiles, site collections and functionality, and most of the Skype for Business Online settings. These roles are also assigned to a single user and not to a security group.

Although Global Admins can add users to other roles in O365, the ability to delegate a scope so that an admin can administer just a few users is something used in larger enterprises and available in on-premise AD out of the box. Also, what if you did not want a Password Admin in O365 to reset everyone's password below a Global Admin, but only a few users' passwords? Scoping exists in Exchange Online but not in the O365 roles.

To give delegated rights to a junior admin in Exchange Online and target a specific set of recipients, we will need to do two tasks in PowerShell: create a custom write scope, then create a role group and assign the scope to it. But first, here are a few comparisons showing what the cloud may not offer you:

These services by themselves, Exchange Online, Skype for Business and SharePoint, have their own high-level security group assignments within Office 365. Here is a Global Admin login showing all of the available roles in the lower right of the Office 365 Admin Console.

(Screenshot 1)

By definition, each assigned administrator role can modify most functionality for all of the Active Users. So although there are delegated roles within Exchange Online, such as Recipient Manager, scoping administration to just a few users in the system, or having a separate administrator for two different sets of accounts within one tenant, is still not available out of the box.

(Screenshot 2)

Here we will look at supporting two different domains in one tenant account and delegating a different administrator to each namespace/domain.

(Screenshot 3)

After assigning Mike the Exchange Admin role in O365, shown above, he does not have the right to create accounts in Office 365. This right is still reserved for the Global Admin and/or User Management Admin. We are just using cloud identities for this process.

(Screenshot 4)

Giving Mike the Exchange Admin right still gives him no ability to create recipients in Exchange Online (EOL), but he does have access to all licensed accounts and can modify every one of them. As you see above, we have two domain names. I need Mike to administer just the Labclass.com users. Before we limit his rights, he can modify accounts in both domains.

Step 1: The first thing we need to do is import the Office 365 module (the Windows Azure Active Directory Module for Windows PowerShell). After the AAD module is installed, run this command in Windows PowerShell:

  • Import-Module MsOnline

Then run Connect-MsolService and sign in with your Global Admin credentials.

Also, load the Exchange Online PowerShell session, either by following this link or by copying the commands below into a script with a .ps1 extension and running it:

Set-ExecutionPolicy RemoteSigned
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

To see which users have the domain suffix we are looking for, run this in the Azure AD PowerShell module:

Get-MsolUser -All | Where-Object {$_.UserPrincipalName -like "*@labclass.biz"}

Or for Exchange Online (note that without -ResultSize Unlimited, Get-Mailbox returns only the first 1000 mailboxes):

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.UserPrincipalName -like "*@labclass.biz"}

(Screenshot 5)

Once you have found all the users with the domain name that Mike will administer:

Step 2: We will apply a filter for delegation to those accounts by stamping them with a custom attribute, running this command:

PS C:\> Get-MsolUser -All | Where-Object {$_.UserPrincipalName -like "*@labclass.biz"} | Set-MsolUser -Department "Labclass"

Or for Exchange Online:

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.UserPrincipalName -like "*@labclass.biz"} | Set-Mailbox -CustomAttribute1 "Labclass"

Step 3: Now check to make sure the attribute is applied.

Get-MsolUser -All | Where-Object {$_.UserPrincipalName -like "*@labclass.biz"} | FL UserPrincipalName, Department

Or for Exchange Online:

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.UserPrincipalName -like "*@labclass.biz"} | FL Name, CustomAttribute1

Or:

Get-Recipient -ResultSize Unlimited -Filter {CustomAttribute1 -eq "Labclass"}

Now that the attribute is set on the users Mike will administer:

Step 4: We will set up the scope with a RecipientRestrictionFilter:

PS C:\> New-ManagementScope "Labclass Admin" -RecipientRestrictionFilter { Department -eq "Labclass" }

Or for CustomAttribute1:

PS C:\> New-ManagementScope "Labclass Admin Custom1" -RecipientRestrictionFilter { CustomAttribute1 -eq "Labclass" }

Step 5: Now we will set up the new role group and apply the scope (and with it the RecipientRestrictionFilter) to it, by running this command using the Department-based scope:

New-RoleGroup -Name "Labclass Admins" -Roles "Mail Recipients", "Reset Password", "Distribution Groups", "Mail Recipient Creation" -CustomRecipientWriteScope "Labclass Admin"
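Steps 1 through 5 collected into one script, with a check after each stage so you know the delegation is correct before handing it to the junior admin. This is an added example, not the post's own script. It uses the post's names (the labclass.biz domain, CustomAttribute1 set to "Labclass", the "Labclass Admin Custom1" scope and the "Labclass Admins" role group) and assumes two placeholder accounts: the junior admin mike@labclass.biz and an out-of-scope mailbox jane@contoso.com. It connects with Connect-ExchangeOnline from the ExchangeOnlineManagement module, because the Basic-authentication remote session shown in Step 1 has since been retired by Microsoft; everything after the connection line is the same cmdlet set the post uses.

```powershell
# Added example (not from the original post): Steps 1-5 end to end, with verification.
# Assumes: Install-Module ExchangeOnlineManagement has been run, and the names below are
# adjusted to your tenant. All account names are placeholders.
$Domain        = 'labclass.biz'
$Tag           = 'Labclass'
$ScopeName     = 'Labclass Admin Custom1'
$RoleGroupName = 'Labclass Admins'
$JuniorAdmin   = 'mike@labclass.biz'   # placeholder: the delegated admin
$OutOfScope    = 'jane@contoso.com'    # placeholder: a mailbox the delegated admin must NOT be able to edit

# Step 1 (modern replacement for the New-PSSession lines): interactive modern-auth sign-in.
Connect-ExchangeOnline -ShowBanner:$false

# Step 2: stamp CustomAttribute1 on every mailbox in the delegated domain.
# -ResultSize Unlimited matters: the default returns only the first 1000 mailboxes.
$InScope = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.UserPrincipalName -like "*@$Domain" })
$InScope | Set-Mailbox -CustomAttribute1 $Tag

# Step 3: confirm the stamp landed on exactly the mailboxes we selected, nothing more.
$Tagged = @(Get-Recipient -ResultSize Unlimited -Filter "CustomAttribute1 -eq '$Tag'")
if ($Tagged.Count -ne $InScope.Count) {
    throw "Expected $($InScope.Count) tagged recipients, found $($Tagged.Count); stop before delegating."
}

# Step 4: the management scope. The RecipientRestrictionFilter is an OPATH filter over recipient
# properties; it is passed as a string here so the $Tag variable expands.
if (-not (Get-ManagementScope -Identity $ScopeName -ErrorAction SilentlyContinue)) {
    New-ManagementScope -Name $ScopeName -RecipientRestrictionFilter "CustomAttribute1 -eq '$Tag'" | Out-Null
}
# Preview what the scope will actually match, using the filter stored on the scope object itself.
$ScopeFilter = (Get-ManagementScope -Identity $ScopeName).RecipientFilter
Get-Recipient -ResultSize Unlimited -RecipientPreviewFilter $ScopeFilter |
    Select-Object Name, PrimarySmtpAddress

# Step 5: the role group bound to the scope, with the junior admin as its member.
if (-not (Get-RoleGroup -Identity $RoleGroupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroupName `
        -Roles 'Mail Recipients', 'Reset Password', 'Distribution Groups', 'Mail Recipient Creation' `
        -CustomRecipientWriteScope $ScopeName -Members $JuniorAdmin | Out-Null
} else {
    Add-RoleGroupMember -Identity $RoleGroupName -Member $JuniorAdmin
}

# Check 1: every role assignment hanging off the role group carries the custom write scope.
Get-ManagementRoleAssignment -RoleAssignee $RoleGroupName |
    Select-Object Role, RecipientWriteScope, CustomRecipientWriteScope

# Check 2: ask Exchange who can write to a given recipient, and confirm the junior admin is
# listed for an in-scope mailbox but not for the out-of-scope one.
function Test-CanWrite([string]$AdminUpn, [string]$RecipientId) {
    $adminName = (Get-User -Identity $AdminUpn).Name
    $hits = Get-ManagementRoleAssignment -WritableRecipient $RecipientId -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -eq $adminName }
    return [bool]$hits
}
$firstInScope = $InScope[0].PrimarySmtpAddress.ToString()
"In-scope  ($firstInScope): " + (Test-CanWrite $JuniorAdmin $firstInScope)   # expected True
"Out-of-scope ($OutOfScope): " + (Test-CanWrite $JuniorAdmin $OutOfScope)    # expected False
```

The two checks at the end are the part worth keeping as a recurring control: Check 1 catches a role group that was created without the -CustomRecipientWriteScope parameter (its assignments would show a default RecipientWriteScope of Organization), and Check 2 verifies the effective result from the recipient's side rather than trusting the configuration.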

Below, logged in as a Global Admin we add Mike to the Custom Labclass Admin role group in Exchange Online.

Notice the Write Scope is assigned already from the prior PowerShell command run in Step 5.

(Screenshot 6)

Shown above, we have removed Mike from all Office 365 roles and have Mike assigned only in Exchange Online, to the custom Labclass Admins role group with a custom write scope.

Mike will log in to Exchange Online directly (he will not have an Admin tile on his Office 365 login).

To log in to Exchange Online directly, he goes here: https://outlook.office365.com/ecp/.

After login, Mike can edit all users with the Labclass attribute (see below). Settings are not greyed out.

(Screenshot 7)

The image below shows Mike trying to access an account that does not have the Labclass attribute. All settings are greyed out.

(Screenshot 8)

We have succeeded in applying a write scope so that Mike can only administer certain users, selected by an attribute. This role assignment is done in Exchange Online and is not applied through the Office 365 roles.

In summation, a Global Admin or anyone assigned the User Management Admin role is globally scoped: they get an Admin tile on their O365 login and have no filter that limits which users they can create or administer. They create the users and apply the filter attribute, and administration is then delegated down to a write scope like the one we applied to Mike in Exchange Online. If a user is in both the User Management Admin role and a scoped Exchange Online role group, the scope in Exchange Online is in place, but the O365 role is still global.
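The last sentence above is the one to audit for: an Exchange Online write scope limits only what the role group grants, and a tenant-level Office 365 role held by the same person is still global. The script below, an added example that is not part of the original post, lists every Exchange Online role group whose assignments carry a custom recipient write scope, resolves its members to UPNs, and flags any member who also holds an Office 365 directory role. It assumes an Exchange Online session and a Connect-MsolService sign-in as in Step 1; the MsOnline module it queries is the one the post uses and has since been deprecated by Microsoft in favour of Microsoft Graph PowerShell, so the directory-role half would need porting on a current tenant.

```powershell
# Added example (not from the original post): find scoped Exchange admins whose tenant-level
# Office 365 roles make the scope moot. Assumes an active Exchange Online session and a
# Connect-MsolService sign-in (both as in Step 1 of the post).

function Get-ScopedExchangeAdmins {
    # Every role group with at least one custom recipient write scope, one row per member.
    foreach ($rg in Get-RoleGroup) {
        $scopes = Get-ManagementRoleAssignment -RoleAssignee $rg.Name |
            Where-Object { $_.CustomRecipientWriteScope } |
            Select-Object -ExpandProperty CustomRecipientWriteScope -Unique
        if (-not $scopes) { continue }
        foreach ($m in Get-RoleGroupMember -Identity $rg.Name) {
            # Resolve the member name to a UPN so it can be matched against directory role members.
            $u = Get-User -Identity $m.Name -ErrorAction SilentlyContinue
            if ($u -and $u.UserPrincipalName) {
                [pscustomobject]@{
                    RoleGroup  = $rg.Name
                    WriteScope = ($scopes -join ', ')
                    Upn        = $u.UserPrincipalName
                }
            }
        }
    }
}

function Get-TenantRoleHolders {
    # Office 365 directory roles are always tenant-wide. Build a map: UPN -> list of role names.
    $map = @{}
    foreach ($role in Get-MsolRole) {
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            if ($member.EmailAddress) {
                $key = $member.EmailAddress.ToLower()
                $map[$key] = @($map[$key]) + $role.Name
            }
        }
    }
    return $map
}

$tenantRoles = Get-TenantRoleHolders
Get-ScopedExchangeAdmins | ForEach-Object {
    $held = $tenantRoles[$_.Upn.ToLower()]
    [pscustomobject]@{
        Upn             = $_.Upn
        RoleGroup       = $_.RoleGroup
        WriteScope      = $_.WriteScope
        TenantRoles     = ($held -join ', ')
        ScopeUndermined = [bool]$held   # True: a global O365 role sits alongside the scoped Exchange role
    }
} | Sort-Object ScopeUndermined -Descending | Format-Table -AutoSize
```

Run it after any change to role group membership; a row with ScopeUndermined set to True is the situation the post describes for Mike before he was removed from the Office 365 roles.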

If you have others ways of doing it, leave a comment below. I would be happy to hear from you.
